• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
R Negi & Company, Chartered Accountants

R Negi & Company, Chartered Accountants

R Negi & Company, Chartered Accountants

  • Home
  • About Us
  • Blog
  • Contact Us
  • Income Tax
  • GST
  • Companies Act

SA 402 – Audit Considerations Relating to an Entity Using a Service Organisation

February 21, 2026 by CA Reema Negi

SA- 402

Introduction

SA 402 applies when an entity uses a service organisation to perform functions that are relevant to financial reporting. These services may include payroll processing, cloud accounting, IT infrastructure, data management, or transaction processing.

This Standard explains how the auditor applies SA 315 (Identifying and Assessing the Risks of Material Misstatement) and SA 330 (Responses to Assessed Risks) in situations where activities are outsourced.

When an entity depends on a third party for critical processes, the auditor must evaluate how those services affect internal control and financial statements.

Objectives of the Auditor

The auditor must achieve the following objectives:

1. Obtain an Understanding of the Services

First, the auditor obtains a clear understanding of:

  • The nature of services provided by the service organisation
  • The significance of those services to the user entity
  • The impact of those services on internal control relevant to the audit

The auditor uses this understanding to identify and assess the risks of material misstatement.

2. Design and Perform Responsive Procedures

After assessing the risks, the auditor designs and performs audit procedures that directly address those risks.

Accordingly, the audit approach must reflect the level of reliance placed on the service organisation.

Understanding Internal Controls at the Service Organisation

The auditor evaluates:

  • Controls established at the service organisation
  • The interaction between service organisation controls and user entity controls
  • Complementary user entity controls that management must implement

In many engagements, the auditor may obtain evidence through:

  • Type 1 or Type 2 service auditor’s reports (such as SOC 1 reports)
  • Direct communication with the service organisation
  • Additional substantive or control testing

However, even if the auditor considers the service auditor’s work, the user auditor retains full responsibility for the audit opinion.

Risk Assessment and Professional Judgment

The auditor applies professional skepticism while assessing:

  • IT general controls
  • Automated processing systems
  • Data security and cybersecurity risks
  • Outsourced financial reporting processes

If the service organisation processes significant transactions, the auditor increases the depth of testing and documentation.

Therefore, proper evaluation of third-party risk forms a critical part of audit planning.

Inability to Obtain Sufficient Appropriate Audit Evidence

If the auditor cannot obtain sufficient appropriate audit evidence regarding the services provided by the service organisation, the auditor must modify the opinion in accordance with SA 705 (Modifications to the Opinion in the Independent Auditor’s Report).

Depending on materiality and pervasiveness, the auditor may issue:

  • A qualified opinion, or
  • A disclaimer of opinion

Thus, access limitations or inadequate evidence can directly affect the audit report.

Reference to the Work of a Service Auditor

When Expressing an Unmodified Opinion

The auditor shall not refer to the work of a service auditor in the audit report when expressing an unmodified opinion unless law or regulation requires such reference.

If law or regulation requires reference, the auditor must clearly state that such reference does not reduce the auditor’s responsibility for the opinion.

When Explaining a Modified Opinion

If the auditor refers to the service auditor’s work to explain a modification, the report must clearly indicate that the reference does not diminish the auditor’s responsibility.

Professional accountability always remains with the user auditor.

Documentation Requirements

The auditor must document:

  • The understanding of the service organisation and its environment
  • Identified risks of material misstatement
  • The basis for reliance on service auditor reports, if any
  • The nature, timing, and extent of audit procedures performed

Clear documentation supports audit quality and compliance with professional standards.

Conclusion

SA 402 ensures that outsourcing does not weaken audit assurance. The auditor must understand the services performed by the service organisation, evaluate related controls, assess risks, and design appropriate audit procedures.

Even when a third party performs significant functions, the user auditor remains fully responsible for expressing an independent and professional audit opinion.

Filed Under: Companies Act

Primary Sidebar

Latest Posts

  • Form 16 and 16A Replaced: New Forms 130 and 131 Explained July 10, 2026
  • Income Tax Deduction List: Old Regime vs New Regime July 8, 2026
  • TCS under Income Tax Act: Complete Guide for Buyers and Sellers July 7, 2026
  • Foreign Donation Rules for NGOs in India July 6, 2026
  • EPF Rules 2026 Explained July 4, 2026
  • How to Register a Section 8 Company in India July 3, 2026
  • What is Indexation? Simple Tax Guide July 2, 2026
  • Tax on Cryptocurrency in India July 1, 2026
  • How to Register a Trademark in India Online June 30, 2026
  • Import Export Code (IEC) June 29, 2026
  • Agricultural Income Tax Rules June 25, 2026
  • GST on Export of Services June 24, 2026
  • AI in Stock Market Trading June 22, 2026
  • Repatriation of Funds from India by NRIs June 20, 2026
  • Residential Status under Income Tax Act June 19, 2026
  • FEMA Compliance for NRIs Investing in India June 18, 2026
  • How to Register on TRACES June 17, 2026
  • How to Choose the Right ITR Form June 16, 2026
  • Stamp Duty Value vs Actual Sale Value June 15, 2026
  • Tax on Gift of Property in India June 12, 2026

Featured posts

Form 16 and 16A Replaced New Forms 130 and 131 Explained

Form 16 and 16A Replaced: New Forms 130 and 131 Explained

Income Tax Deduction List Old Regime vs New Regime

Income Tax Deduction List: Old Regime vs New Regime

TCS under Income Tax Act Complete Guide for Buyers and Sellers

TCS under Income Tax Act: Complete Guide for Buyers and Sellers

Foreign Donation Rules for NGOs in India

Foreign Donation Rules for NGOs in India

EPF Rules 2026 Explained

EPF Rules 2026 Explained

How to Register a Section 8 Company in India

How to Register a Section 8 Company in India

What is Indexation Simple Tax Guide

What is Indexation? Simple Tax Guide

Tax on Cryptocurrency in India

Tax on Cryptocurrency in India

How to Register a Trademark in India Online

How to Register a Trademark in India Online

Import Export Code (IEC)

Import Export Code (IEC)

Agricultural Income Tax Rules

Agricultural Income Tax Rules

Copyright © 2026